Tags: google-speech-recognition 

Rating:

## YACS2 - yet another captcha solver (PPC)

###ENG
[PL](#pl-version)

The task looks very similar to the one from last year - we have a captcha recorded in a .wav file.
The captcha contains only numbers.
We are supposed to solve 3000 of them to get the flag.
Apart from that the captcha is distorted by a constant background noise.

Example: [captcha](captcha.wav)

We solved this with very little effort, using solver we developed last year.
The fun part is that this solver was not good enough last year and we had to make a different one, but this time it worked out-of-the-box.

Instead of trying to remove the noise and then match some byte patterns for numbers, we just used Google Speech Recognition :)

So we just download the captcha, solve it, send response and repeat this 3000 times to get the flag.

```python
import codecs
import os
import urllib
import urllib2
import speech_recognition as sr

url = 'http://yacst2.2016.volgactf.ru:8090/captcha'

opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=s4Re0bJa4po1O8wPS9yGxF9FKxO4afQEnJbhhjiZ'))

post_opener = urllib2.build_opener(urllib2.HTTPHandler())
post_opener.addheaders.append(('Cookie', 'JSESSIONID=s4Re0bJa4po1O8wPS9yGxF9FKxO4afQEnJbhhjiZ'))

def download_wav():
wav = opener.open(url).read()
with codecs.open("captcha.wav", mode="wb") as output:
output.write(wav)

def convert_to_speech2():
r = sr.Recognizer()
with sr.WavFile('captcha.wav') as source:
audio = r.record(source)
return r.recognize(audio)

def send_response(result):
try:
data = urllib.urlencode({'captcha': result})
return post_opener.open(url, data=data).read()
except:
pass

def removeFile():
os.remove("captcha.wav")

def main():
for i in range(3000):
try:
print(i)
download_wav()
result = convert_to_speech2()
print(result)
removeFile()
response = send_response(result)
except:
pass

main()
```

After the last one we are redirected to the flag:

`VolgaCTF{Sound IS L1ke M@th if A+B=C THEN C-B=A}`

###PL version

Zadanie jest bardzo podobne do zadania z zeszłego roku - mamy dźwiękowy kod captcha zapisany w pliku .wav.
Captcha zawiera tylko liczby.
Mamy do rozwiązania 3000 kodów aby uzyskać flagę.
Dodatkowo captcha jest zniekształcona poprzez dodanie stałego dźwięku w tle.

Przykład: [captcha](captcha.wav)

Rozwiązaliśmy to zadanie bardzo niewielkim nakładem pracy, używając solvera napisanego rok temu.
Co ciekawe, rok temu ten solver nie był wystarczająco dobry i musieliśmy zrobić inny, ale tym razem zadziałał od razu.

Zamiast próbować usuwać zniekształcenie a następnie dopasowywać wzorce bajtów do numerów w captchy, użyliśmy Google Speech Recognition :)

Pobieramy więc captche, rozwiązujemy ją i odsyłamy wynik, to wszystko powtarzamy 3000 razy i dostajemy flagę.

```python
import codecs
import os
import urllib
import urllib2
import speech_recognition as sr

url = 'http://yacst2.2016.volgactf.ru:8090/captcha'

opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=s4Re0bJa4po1O8wPS9yGxF9FKxO4afQEnJbhhjiZ'))

post_opener = urllib2.build_opener(urllib2.HTTPHandler())
post_opener.addheaders.append(('Cookie', 'JSESSIONID=s4Re0bJa4po1O8wPS9yGxF9FKxO4afQEnJbhhjiZ'))

def download_wav():
wav = opener.open(url).read()
with codecs.open("captcha.wav", mode="wb") as output:
output.write(wav)

def convert_to_speech2():
r = sr.Recognizer()
with sr.WavFile('captcha.wav') as source:
audio = r.record(source)
return r.recognize(audio)

def send_response(result):
try:
data = urllib.urlencode({'captcha': result})
return post_opener.open(url, data=data).read()
except:
pass

def removeFile():
os.remove("captcha.wav")

def main():
for i in range(3000):
try:
print(i)
download_wav()
result = convert_to_speech2()
print(result)
removeFile()
response = send_response(result)
except:
pass

main()
```

Po ostatnim kodzie zostajemy przekierowani do flagi:

`VolgaCTF{Sound IS L1ke M@th if A+B=C THEN C-B=A}`

Original writeup (https://github.com/p4-team/ctf/tree/master/2016-03-26-volga2016-quals/yacs2).